Closed Bug 982754 Opened 7 years ago Closed 7 years ago
Some self-signed certificates incorrectly trigger SEC
_ERROR _INADEQUATE _KEY _USAGE
Self-signed certificates used for https Web Server Authentication that don't have certificate signing key usage are rejected with SEC_ERROR_INADEQUATE_KEY_USAGE. It is a problem because you can't override SEC_ERROR_INADEQUATE_KEY_USAGE with an exception, and some testing environment use those kind of self-signed certificate. For example, all self-signed certificates generated by IIS (Microsoft web server) have this pattern. Moreover, self-certificates used for https will never be used as a CA root, so that doesn't really make sense to give them the certificate signing key usage.
It seems like we need to revert the changes we made in bug 975122 for SEC_ERROR_INADEQUATE_KEY_USAGE in classic mode. This means we also probably need to change the order in which things are checked in insanity::pkix, so that the issuer-independent properties of end-entity certificates are checked after the cert chain is built and before revocation checking is done.
Component: Security → Security: PSM
Product: Firefox → Core
Target Milestone: --- → mozilla30
Brian - let me know what you think of this. It allows the override specific to the situation in bug 978797 for classic verification but doesn't change anything about insanity::pkix verification. (This has the side-effect of allowing any inadequate key usage overrides for classic verification.)
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8390906 - Flags: review?(brian)
Comment on attachment 8390906 [details] [diff] [review] patch Review of attachment 8390906 [details] [diff] [review]: ----------------------------------------------------------------- Hi, I want to concentrate my contributions on the insanity::pkix-related stuff for the immediate future. Please have Camilo review this.
Attachment #8390906 - Flags: review?(brian) → review?(cviecco)
Attachment #8390906 - Flags: review?(cviecco) → review+
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
https://e-shop.pcshop.ua/Catalog.aspx don`t work with latest nightly build 31, I downloaded the latest version today
firefox-31.0a1.en-US.win64-x86_64.zip 18-Mar-2014 11:56 works very well!!!
31.0a1 (2014-03-18) validated against self-signed certs created by IBM Power Systems Hardware Management Consoles. Thanks team!
Is it supposed to be uplifted on Aurora? And looks like Target Milestone: should be set to mozilla31. This patch has landed after version bump.
(In reply to Alexander L. Slovesnik from comment #9) > Is it supposed to be uplifted on Aurora? And looks like Target Milestone: > should be set to mozilla31. This patch has landed after version bump Right - this landed in 31. I don't think there are plans to uplift at the moment.
Target Milestone: mozilla30 → mozilla31
(In reply to David Keeler (:keeler) from comment #10) > (In reply to Alexander L. Slovesnik from comment #9) > > Is it supposed to be uplifted on Aurora? And looks like Target Milestone: > > should be set to mozilla31. This patch has landed after version bump > > Right - this landed in 31. I don't think there are plans to uplift at the > moment. We need to uplift this through Firefox 29 beta. Otherwise there wasn't any point in doing it.
My understanding is bug 975122 caused this, which landed on 30 and wasn't uplifted.
Comment on attachment 8390906 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 975122 User impact if declined: inability to add certificate overrides in some cases Testing completed (on m-c, etc.): landed on m-c, has automated tests Risk to taking this patch (and alternatives if risky): low String or IDL/UUID changes made by this patch: none
Attachment #8390906 - Flags: approval-mozilla-aurora?
Attachment #8390906 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Still affecting FF31.0a1 (2014-04-03) for self signed cert that was working up until a few days ago.
Cam, can you file a new bug (basically, you can clone this one) with either a public-facing URL or a copy of a certificate that has this issue? Thanks.
(In reply to David Keeler (:keeler) from comment #16) > Cam, can you file a new bug (basically, you can clone this one) with either > a public-facing URL or a copy of a certificate that has this issue? Thanks. Done.
I got the bug on https://cloud.turmel.info/ I can't get the cert.
For turmel.info the certificate presented is self signed with a basic constriaints extension with an explicit cA Boolean (is CA) set to true. We are no longer accepting CA certificates to be valid end-entity certificates. Here is the pem: -----BEGIN CERTIFICATE----- MIID8TCCAtmgAwIBAgIJAM0VcQK2/CbvMA0GCSqGSIb3DQEBBQUAMIGOMQwwCgYD VQQIDANOL0ExCzAJBgNVBAYTAkZSMRYwFAYDVQQDDA1ncnVtcGZmZi5pbmZvMRcw FQYDVQQKDA5SYXlzYSBOZXR3b3JrczEgMB4GCSqGSIb3DQEJARYRcmF5LWNvbUBy YXlzYS5vcmcxHjAcBgNVBAcMFUxlIE1lc25pbCBTYWludCBEZW5pczAeFw0xMzA5 MTUxNzE2NDJaFw0xNDA5MTUxNzE2NDJaMIGOMQwwCgYDVQQIDANOL0ExCzAJBgNV BAYTAkZSMRYwFAYDVQQDDA1ncnVtcGZmZi5pbmZvMRcwFQYDVQQKDA5SYXlzYSBO ZXR3b3JrczEgMB4GCSqGSIb3DQEJARYRcmF5LWNvbUByYXlzYS5vcmcxHjAcBgNV BAcMFUxlIE1lc25pbCBTYWludCBEZW5pczCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBAJvmJUNMOXdRnj2TZ1rrovHcTy0BL24iegDe8HtwICIMzTioNvYi I81E0F/kLlyEJo/bbBtvY3Ypy1xsJKMgfT6jZ2QoyPVCG1Kz5k7PAaHHqfBsLlTn e69C5ok5zlfZzjC9YFENKGfEB/pAcKl7IMQmf4B1VIw5OhV+pQuIOO8we1ne34A/ Xm+9HeQAUznOo9h4J5YHF2Tt+YDMppj0YLR6MOnC1ADnEt1s88jtNLXWYg2ZdmFq nIVpW/k32B0tBoRwx3KuOojrr81gG+OnKacOVzfHl0Zby7nrKlb4zlF2R/ubhyY6 M9DyEjsPUjUY5P8lIMIcDWJk9IqYF1Rnc1ECAwEAAaNQME4wHQYDVR0OBBYEFJNt 7G+3d9MeH8wmeJlW9ygEteq8MB8GA1UdIwQYMBaAFJNt7G+3d9MeH8wmeJlW9ygE teq8MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAFcFnu25BoLYlTTc bk2oFqmGpCMf7UPNSurSXQ73xCvU3mDyp1+nnpTbFuuiGgx/eDXtdMH4ukzZWOAi +HxDhaTfDY1LxGlmrvI74hYunNWPEpG/6Ury+My7ZLBScSNVYjzne4Yk3TtqBzop WNLRzgIVn/Se4ZW9PN/tGaYvJDgRMNo0WdLR/BACgpAlZYtd86YomtSWfRKYmFi+ NM1hXXZAvxyQTX4nVs5JUPbri1Bik6pjZYvTEzhOyRO1GSgo2Kf/e6EPgpWunShp //p9Ig0tAbC9HL9zHnjUGFR/FnRcrJxe6WdbNlHrOMtt9mOAlE6VaZ75S/9dlNAU l0lAPhs= -----END CERTIFICATE-----
I am having the same issue using Microsoft Family Safety. Family Safety has it's own CA which it uses to created self-signed copies of the actual certificates used. So when you visit https://www.google.com for example, the certificates appears to be signed by the Family Safety CA, rather than the actual CA used by google.com. Since FF30 has this problem with IIS certificates and Family Safety uses one of these "problem" certificates, the end result is that all FF30 users who use Family Safety are no longer able to access HTTPS website.
I wonder if this issue relates to another SSL issue I am having with FF30. https://bugzilla.mozilla.org/show_bug.cgi?id=1021515
Please clean-up/remove associated CA certificate and/or certificate from certificate store. Using "Advanced -> Certificates -> View Certificates ..."
As the feature" is still present in Firefox ESR 31.3.0, I feel I have to comment: (In reply to Sébastien Desvignes from comment #0) > It is a problem because you can't override SEC_ERROR_INADEQUATE_KEY_USAGE That's the most essential point of it: You may enhance the security whatever way you like, but give users a chance to override the new restrictions. In my case I'm using a commercial product that includes it's own web server and certificate generated during installation. While it's possible to replace the standard certificate, the user may have priority on using his product over having better security, especially when working in an intranet anyway...
To complete my comment #23: And the explanation presented to the user in case of this error does not provide enough information (specifically the option to view the rejected certificate is missing) for an IT professional to find out what Firefox is actually complaining about (details, please!)
Ulrich, this was fixed in 30, so ESR 31 shouldn't be having a problem with this. Please file a new bug with the error code you're seeing and steps to reproduce. In particular, a copy of the public part of the certificate the server is sending will be helpful. Thanks.
(In reply to David Keeler (:keeler) [use needinfo?] from comment #25) > (...) Please file a new bug ... Done: bug 1113506
You need to log in before you can comment on or make changes to this bug.